Newsgroups: php.internals
To: "'PHP internals'"
Date: Fri, 9 Aug 2019 05:27:37 +0300
Message-ID: <000001d54e5a$02ac09f0$08041dd0$@roze.lv>
Subject: RE: [PHP-DEV] [RFC] [VOTE] Deprecate PHP's short open tags, again
From: r@roze.lv ("Reinis Rozitis")

> -----Original Message-----
> From: Bishop Bettini [mailto:bishop@php.net]
>
> That's why I highlighted Robert Korulczyk's case study: only a particular code path in a particular environment had the problem.
>
> The status quo enables deployments to fail insecurely. "secret"; is a trap waiting to spring. I would rather require ten thousand
> people secure their environment by running a script, than risk a single person
> exposing their credentials for all to steal.
>
> I challenge everyone who's voted no to consider this balance.

If the initial RFC had been accepted as is (without the later proposed changes after the lengthy discussion) you would have sprung the same "trap" as in that particular case study - code would be exposed.

The argument for "only a particular code path in a particular environment" is somewhat weak, because in that case why does even the '.user.ini' feature exist (especially in the Apache SAPI, where you can even do engine = 0), as it can also lead to wildly different language behaviour?

rr